Hackers aren't criminals
-- they're the best kind of
security
LAIRD BROWN
Tuesday, August 15, 2000
Victor Keong, a computer security
specialist with Deloitte & Touche, recently
advised us in this column not to hire
hackers (Don't Hire DefCon Hackers --
Aug. 8). Specifically, we shouldn't hire
hackers who attend DefCon, the world's
largest hacker convention held annually
over the past eight years in Las Vegas. We
should hire Mr. Keong and others like him,
he says, because he is not a hacker, nor
does he have body piercings, dye his hair
blue, or use a pseudonym. Forgive me for
not taking his advice.
Mr. Keong, I'm certain, is a very
competent security professional. He is not,
however, very well attuned to the hacking
community. His commentary read like a
cautionary tale against hiring accountants
from the Mafia. It's good advice, if he had
all of his facts right. But since he mentioned
by name someone whom I have just hired,
I would like to correct some
misperceptions.
Some hackers use handles, as do rappers
and CB radio operators. Big deal -- it's a
cultural thing. And Mudge, one of the
world's most famous computer security
experts, uses one too. I just arranged for
Mudge to serve on our technical advisory
board, along with two other hackers
Dildog and Reid Fleming.
But back to Mudge. He's an A-list hacker
-- he's not a criminal, an amoral
supergenius or an irresponsible person. He
is -- the singularity of his name
notwithstanding -- the founding director of
the Lopht, a hacker think tank in Boston;
an adviser to U.S. President Bill Clinton on
Internet security; and, vice-president of
research and development for @Stake, a
company dedicated to securing the Internet
economy. Interestingly enough, Mudge and
Mr. Keong compete for many of the same
clients, although I'm willing to allow that
Mr. Keong might not have known this.
So what exactly is a hacker? First, let's
define what a hacker is not. A hacker is
not a criminal. The people with funny
names who are arrested for stealing credit
cards or shutting down Yahoo are not
hackers. They are criminals. Other people
with funny names who advise the president
of the United States, NASA, and various
three-letter agencies, are not criminals.
They are computer security professionals.
Granted, not everyone who attends
DefCon has a client list like Mudge's, but
some approach it.
DefCon was originally organized to put
hackers together with law enforcement. In
fact, one of the most amusing parts of this
convention is the "spot the fed" contest.
This is a game in which feds who try to
attend covertly are publicly outed. It's all in
good fun, and in fact, the feds love it. They
come to DefCon to learn alongside the
hacking community about the
bleeding-edge exploits that will haunt
Internet security. They also show up to do
some recruiting, unlike Mr. Keong. The
feds have learned something that business
would do well to emulate If you want to
catch a cracker, you'd better hire a hacker.
Playing on stereotypes does not advance
public understanding of the hacker
community. Of course, many DefCon
attendees do fall into the Hollywood cast
of hacker misfits. But the majority of
people whom I trust and know well evade
such convenient labelling. My only
disappointment with DefCon this year was
that two hackers whom I wanted to hire
are currently unavailable. Perhaps if I toss
some body piercings and tattoos into the
employment package, they might take me
up on the offer.
Laird Brown is the minister of
information for openCOLA, an
open-source development company
based in San Francisco and Toronto.